REPORT TO THE
PRESIDENT
Information SecurityOversight Office
National Archives and Records Administration
Executive Order (E.O.) 13526, “Classified National Security Information,” E.O. 12829, as amended, “National Industrial Security Program,” and E.O. 13549, “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities.” The Information Security Oversight Office (ISOO) is a component of the National Archives and Records Administration (NARA) and receives its policy and program guidance from the National Security Advisor.
Authority
Mission
Functions
Goals » Promotes and enhances the system that protects the national security information that safeguards the American people and their Government.
» Provides for an informed American public by ensuring that the minimum information necessary to the interest of national security is classified and that information is declassified as soon as it no longer requires protection.
» Promotes and enhances concepts that facilitate the sharing of information in the fulfillment of mission-critical functions related to national security.
» Provides expert advice and guidance pertinent to the principles of information security.
» Develops implementing directives and instructions.
» Reviews and approves agency implementing regulations.
» Maintains liaison relationships with agency counterparts and conducts on-site and document reviews to monitor agency compliance.
» Develops and disseminates security education materials for Government and industry; monitors security education and training programs.
» Receives and takes action on complaints, appeals, and suggestions.
» Collects and analyzes relevant statistical data and, along with other information, reports them annually to the President.
» Serves as spokesperson to Congress, the media, special interest groups, professional organizations, and the public.
» Conducts special studies on identified or potential problem areas and develops remedial approaches for program improvement.
» Recommends policy changes to the President through the National Security Advisor.
» Provides program and administrative support for the Interagency Security Classification Appeals Panel (ISCAP).
» Provides program and administrative support for the Public Interest Declassification Board (PIDB).
» Reviews requests for original classification authority from agencies.
» Chairs the National Industrial Security Program Policy Advisory Committee under E.O. 12829, as amended.
» Chairs the State, Local, Tribal, and Private Sector Policy Advisory Committee under E.O. 13549.
ISOO oversees the security classification programs in both Government and industry and reports annually to the President on their status.
April 15, 2011
The PresidentThe White HouseWashington, DC 20500
Dear Mr. President:
I am pleased to submit the Information Security Oversight Office’s (ISOO) Report to the President for Fiscal Year (FY) 2010.
This report provides information on the status of the security classification program as required by Executive Order 13526, “Classified National Security Information” (the Order). It provides statistics and analysis concerning key components of the system, primarily classification and declassification, and coverage of ISOO’s reviews. It also contains information with respect to industrial security in the private sector as required by Executive Order 12829, as amended, “National Industrial Security Program.”
FY 2010 was a notable year for the security classification program. The initial implementation of Executive Order 13526 began in earnest and remains ongoing. To comply with your direction that a government-wide implementing directive be issued within 180 days, we led an interagency working group that developed 32 C.F.R. Part 2001 which became effective and binding on all appropriate Executive branch agencies on June 25, 2010.
However, we are concerned about delays in the issuance of agency regulations implementing the Order. Despite the preparation of agency drafts and the completion of our review last Fall, many agencies failed to issue their regulations in final form by December 2010 and many have yet to issue them as of the date of this letter. Regardless, we believe that the implementation of the Order is actually more advanced than it has been in the past following the issuance of major revisions of policy in this area and that the foundation being built is strong. We will continue to monitor agency progress, with a special focus on implementing regulations, security education and training programs, self-inspection programs, and measures designed to hold personnel accountable.
FY 2010 also saw the issuance of Executive Order 13549, “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities.” In response to this, we established the State, Local, Tribal, and Private Sector (SLTPS) Entities-Policy Advisory Committee (PAC) which is now operational and providing valuable advice to the implementation process.
Respectfully,
William A. Cira Acting Director
Letter to the President
Summary of Fiscal Year (FY) 2010 Program Activity ...................................................1
Agency Implementation of E.O. 13526.............................................................................2
Classification...........................................................................................................................4
Declassification .................................................................................................................... 14
Reviews ................................................................................................................................. 23
Interagency Security Classification Appeals Panel .................................................... 25
National Industrial Security Program ............................................................................. 27
Table of Contents
2010 Report to the President | 1
Classification » Executive branch agencies
reported 2,378 original classification authorities (OCA), a 7 percent reduction from FY 2009 and the lowest number reported to date.
» Agencies reported 224,734 original classification decisions.
» Agencies reported using the ten-years-or-less declassifica-tion instruction for 74 percent of original classification decisions, the highest percent-age of use to date.
» Executive branch agencies reported 76,571,211 derivative classification decisions; a 40 percent increase from FY 2009. This is an expected increase due to revised reporting requirements intended to better capture classification activity in the electronic environment.
» Twenty-five percent of the classification guides reported as being currently in use had not been updated within the past five years as required, an improvement over last year’s reported number of forty-six percent.
Declassification » Under automatic declas-
sification, agencies reviewed 45,386,491 pages and declas-sified 24,238,273 pages of historically valuable records.
» Under systematic declassification reviews, agencies reviewed 5,797,022 pages, and declassified 4,630,410 pages.
» Under discretionary declas-sification reviews, agencies reviewed 1,903,832 pages, and declassified 181,607 pages.
» A total of 53,087,345 pages were reviewed for declassifica-tion and 29,050,290 pages were declassified.
» Agencies received 9,686 initial mandatory declassification review (MDR) requests.
» Agencies reviewed 331,782
pages under MDR, and declassified 213,425 pages in their entirety, declassified 96,268 pages in part, and re-tained classification of 22,089 pages in their entirety.
» Agencies reported carrying over 9,542 initial MDR requests into FY 2011.
» Agencies received 302 MDR appeals and processed 231 appeals.
» Agencies reviewed 3,330 pages on appeal, and declassified 1,308 pages in their entirety, declassified 1,057 pages in part, and retained classification of 965 pages in their entirety.
Summary of FY 2010 Program Activity
2 | Information Security Oversight Office
On December 29, 2009 President Obama issued
a Memorandum for the Heads of Executive Departments and Agencies entitled “Implementation of the Executive Order, “Classified National Security Information.” In this memorandum, the President said he expects personal commitment from the heads of departments and agencies, as well as their senior officials. He also stressed the importance of effective security education and training programs, self-inspection programs, and measures designed to hold personnel accountable.
The memorandum also directed all heads of departments and agencies to conduct a review to ensure that all delegations of original classification authority are limited to the minimum necessary to implement the Order and that only those individuals with a demonstrable and continuing need to exercise such authority shall have it. In following up on this requirement, ISOO determined that all agencies had completed this review. Data received from the agencies revealed a seven percent reduction in the number of officials with original classification authority.
The President’s memorandum also directed all agencies that create or handle classified information to issue regulations implementing the Order in final form within 180 days of ISOO’s publication of the government-wide implementing directive for
the Order. Each agency was also directed to provide a draft of their regulation to ISOO for review prior to issuance. Over a period of three months the ISOO staff reviewed and provided comments on 41 draft regulations. This was perhaps the most fruitful effort of the implementation process because it gave ISOO the opportunity to point out many important requirements of the Order that were either missing or out of date in the drafts.
As of March 15, 2011, only 19 of 41 agencies have issued their imple-menting regulations in final form: the Departments of Commerce, Housing and Urban Development, Justice, Labor, Transportation, and Veterans Affairs; the Federal Communications Commission; the Federal Maritime Commission; the Federal Reserve System; the Federal Trade Commission; the General Services Administration; the National Archives and Records Administration; the Nuclear Regulatory Commission; the Office of the Director of National Intelligence; the Overseas Private Investment Corporation; the Small Business Administration; the Selective Services System; the U.S. International Trade Commission; and the U.S. Postal Service. The
Agency Implementation of E.O. 13526
Department of Energy has issued 1 of 3 of its regulations.
ISOO has stressed to the remaining agencies the importance of updated regulations, which serve as the foundation for the classification system. Given that less than half of agencies have issued implementing regulations in the 15 months since the President issued the order and the 9 months since ISOO revised the government-wide implementing regulations for the order, it is clear that the means by which agencies modify and issue implementing regulations are not sufficient to accommodate changes in national security policy. ISOO sees this as the biggest impediment to implementing the reforms called for by the President and as a real threat to the efficient and effective implementation of the overall classification system.
Agencies are reminded of the need to conduct other actions to implement the President’s direction, the status of which will remain a focus of ISOO’s oversight in FY 2011:
» Updating component or local issuances implementing the Order, the Directive, and agency-issued regulations.
ISOO has stressed to the remaining agencies the importance of updated regulations, which serve as the foundation for the classification system.
2 | Information Security Oversight Office 2010 Report to the President | 3
» Updating classification guides to include the means by which the requirement to incorporate original classification decisions will be met.
» Conducting an initial “Fundamental Classification Guidance Review” under section 1.9 of the Order for those agencies with original classification authority.
» Updating security education and training program content and, if appropriate, providing
required training to original classification authorities and derivative classifiers.
» Conducting self-inspections, to include the regular review of a representative sample of your agency’s original and derivative classification actions.
» Compliance with section 5.4(d)(7) of the Order to en-sure that personnel that work with classified information are held accountable.
» Establishing a secure capa-bility to receive information, allegations, or complaints regarding over-classification or incorrect classification and to provide guidance to per-sonnel on proper classification as needed.
» Updating electronic marking tools and document templates to reflect changed or new requirements, such as the identification of persons who apply derivative classification markings.
4 | Information Security Oversight Office
Original Classification Authorities, FY 2010
Original Classifiers
Original classification authorities, also called
original classifiers, are those individuals designated in writing, either by the President, by selected agency heads, or by designated senior agency officials with Top Secret original classification authority, to classify
information in the first instance. Only original classifiers are authorized to determine what information, if disclosed without authorization, could reasonably be expected to cause damage to national security. Original classifiers must be able to identify or describe the damage.
In response to the President’s memorandum of December
29, 2009, agencies undertook a special effort to review their delegations of OCA which resulted in a reported decrease of 179 OCAs. The reported number of 2,378 OCAs in FY 2010 is yet another decrease in a downward trend, and the lowest number to date. In FY 2009, agencies reported 2,557 OCAs and in FY 2008 this number was 4,109.
Classification
140
500
1,000
1,500
2,000
2,500
TOTALConfidentialSecretTop Secret
901
1,463
2,378
4 | Information Security Oversight Office 2010 Report to the President | 5
Number of Original Classification Authorities, FY 1980 - FY 2010
0
1,000
2,000
3,000
4,000
5,000
6,000
7,000
8,000
2010
2008
2006
2004
2002
2000
1998
1996
1994
1992
1990
1988
1986
1984
1982
1980
7,149
6,94
3
6,90
0
6,75
6
6,65
4
6,49
2
5,79
3
5,46
1
4,42
0
3,90
3
4,130
4,00
6
4,00
7
4,04
2
4,10
9
2,37
8
6 | Information Security Oversight Office
Original Classification Activity, FY 2010
Original Classification
Original classification is an initial determination by an
OCA that information owned by, produced by or for, or under the control of the United States Government requires protection because unauthorized disclosure of that information reasonably could
be expected to cause damage to national security. In essence, these are the only new “secrets.”
The process of original classification must always include a determination by an OCA of the concise reason for the classification that falls within one or more of the authorized
categories of classification, the placement of markings to identify the information as classified, and the date or event when the information becomes declassified. By definition, original classification precedes all other aspects of the security classification system, including derivative classification, safeguarding, and declassification.
0
50,000
100,000
150,000
200,000
250,000
TOTALConfidentialSecretTop Secret
4,194
181,045
39,495
224,734
Classification
6 | Information Security Oversight Office 2010 Report to the President | 7
Original Classification Activity, FY 1989 - FY 2010
0
20,000
40,000
60,000
80,000
100,000
120,000
140,000
160,000
180,000
200,000
220,000
240,000
260,000
280,000
300,000
320,000
340,000
360,000
380,000
400,000
420,000
440,000
460,000
480,000
500,000
520,000
540,000
560,000
580,000
600,000
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996
1995
1994
1993
1992
1991
1990
1989
507,79
449
0,97
5511,86
848
0,84
324
5,95
120
4,68
3167,84
010
5,163
158,78
8137,00
5169,73
522
0,92
626
0,67
8217,26
823
4,05
235
1,150
258,63
323
1,995
233,63
920
3,54
1183,22
422
4,73
4
8 | Information Security Oversight Office
FY 2010 Original Classification Activity by Agency
Department of State 154,872
Department of Justice 47,910
Department of the Army 13,057
Department of Defense 4,442
Executive Office of the President 3,346
Department of the Air Force 936
Department of the Navy 99
Department of Homeland Security 49
Office of the Director of National Intelligence
8
Millennium Challenge Corporation 8
Central Intelligence Agency 5
Department of the Treasury 1
Department of Commerce 1
Total 224,734
Agencies reported 224,734 original classification decisions for FY 2010, which is a 22.6 percent increase from the 183,224 decisions reported in FY 2009. From FY 1996 through FY 2010, the annual average of original classification decisions is 212,702.
Last year, we asked all the reporting agencies to either start or expand their counting of classification decisions in the electronic environment and most of them were able to comply with this request, resulting in a large increase in the number of derivative
Classification
decisions reported. This year, the new emphasis on counting electronic decisions has led to an additional increase of reported decisions in the original category.
The large number of original clas-sification actions is of concern, particularly at the Departments of State, Justice, and Army, which have consistently reported high numbers over time. We question whether many of these are truly original decisions. From a policy perspective, there should be little original classification activity and agencies should instead be
relying upon classification guides. The Order now states that all original classification decisions must be incorporated into clas-sification guides.
For the sixth year in a row, the majority of original classification decisions were assigned declassification dates of ten years or less. In FY 2010, the ten-year-or-less declassification instruction was used 74 percent of the time, an increase over the 67 percent reported in FY 2009 and the highest percentage to date.
Derivative Classification
Derivative classification is the act of incorporating,
paraphrasing, restating, or generating in new form information that is already classified and, therefore, are not considered new “secrets.” Information may be derivatively classified in two ways: (1) through the use of a source document, usually correspondence or publications generated by an OCA; or (2) through the use of a classification guide. A classification guide is a set of instructions issued by an OCA which identifies elements of information regarding a specific subject that must be classified and establishes the level and duration of classification for each such element.
Derivative classification actions utilize information from the original category of classification.
8 | Information Security Oversight Office 2010 Report to the President | 9
Use of the “Ten-Years-or-Less” Declassification Category
0
10
20
30
40
50
60
70
80
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996
50% 50%
36%
50%54% 52%
34%
64%61%
74%
67%
58%57%57%59%
Since every derivative classifica-tion action is based on information whose classification has already been determined, it is essential that the origin of these actions be traceable to a decision by an OCA.
Agencies reported a total of 76.6 million derivative classification decisions in FY 2010. Agencies reported 54.7 million derivative classification actions in FY 2009, and 23.2 million in FY 2008. Methods for communicating classified information
electronically have expanded significantly, to include classified web pages, blogs, wikis, bulletin boards, instant messaging, etc. In FY 2009, ISOO issued new guidance that asked agencies to focus on counting classification decisions wherever they might occur. This naturally led to a large reported increase in the number of derivative decisions. As we explained in our FY 2009 Annual Report, this was expected to have an immediate impact and that this number would
continue to increase as agencies continued to refine their ability to count in the electronic realm. One notable example was the Department of State who told ISOO last year they would need more time to develop their ability to count electronic decisions, and they have now succeeded in doing that for this report. We do not expect the reporting in this category to stabilize until perhaps FY 2011, at which time we will hopefully have a new baseline for counting.
10 | Information Security Oversight Office
Derivative Classification Activity, FY 2010
0
10,000,000
20,000,000
30,000,000
40,000,000
50,000,000
60,000,000
70,000,000
80,000,000
TOTALConfidentialSecretTop Secret
21,477,245
36,003,512
76,571,211
19,090,454
Classification
In the 1970s, classified products were produced on single pieces of paper on typewriters.
In today's environment, classified products are produced in many electronic formats.
10 | Information Security Oversight Office 2010 Report to the President | 11
Derivative Classification Activity, FY 1996 - FY 2010
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
30,000,000
35,000,000
40,000,000
45,000,000
50,000,000
55,000,000
60,000,000
65,000,000
70,000,000
75,000,000
80,000,000
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996
5,68
5,46
2
6,36
1,36
6
7,157,76
3
7,86
8,85
7
10,929
,943
8,39
0,05
7
11,054
,350
13,993
,968
15,294
,087
13,948
,140
20,324
,450
22,868
,618
23,217,557
54,651,765
76,571,211
12 | Information Security Oversight Office
Combined Original and Derivative Classification Activity
Combined Original and Derivative Classification Activity, FY 1996 - FY 2010
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
30,000,000
35,000,000
40,000,000
45,000,000
50,000,000
55,000,000
60,000,000
65,000,000
70,000,000
75,000,000
80,000,000
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996
5,79
0,62
5
6,52
0,154
7,29
4,76
8
8,03
8,59
2
11,15
0,86
9
8,65
0,73
5
11,271,618
14,228
,020
15,645
,237
14,206
,773
20,556
,445
23,10
2,25
7
23,421,098
54,834
,989
76,795
,945
Together, original and derivative classification decisions make
up the combined classification activity. In FY 2010, the reported
combined classification activity is 76.8 million decisions, an increase of 22 million over the 54.8 million decisions reported for FY 2009.
Classification
12 | Information Security Oversight Office 2010 Report to the President | 13
Classification Challenges
Classification challenges provide a mechanism to
promote sound classification decisions. Authorized holders of information who, in good faith, believe its classification status is improper are encouraged and expected to challenge the classification status of that
information. Classification challenges are handled both informally and formally, and provide individual holders the responsibility to question the appropriateness of the classification of information.
ISOO’s program reviews have re-vealed that many authorized hold-ers of classified information are not aware of this provision, and there-fore, do not challenge classification
decisions as much as should be expected in a robust system.
Agencies reported 722 formal challenges in FY 2010, which is a significant increase over the 356 reported in FY 2009. It was also reported that of these 722 challenges, 84 percent were fully affirmed at their current classifica-tion status with the remaining 16 percent being overturned either in whole or in part.
14 | Information Security Oversight Office
Background
Declassification is defined as the authorized change
in status of information from classified to unclassified and is an integral part of the security classification system. There are four declassification programs within the Executive branch: automatic declassification, systematic declassification review, discretionary declassification review, and mandatory declassification review. Automatic declassification removes the
classification of information at the close of every calendar year when that information reaches the 25-year threshold. Systematic declassification review is required for those records exempted from automatic declassification. Discretionary declassification review is conducted when the public interest in disclosure outweighs the need for continued classification, or when the agency feels the information no longer requires protection and can be declassified earlier. Mandatory declassification review provides
1.46 Billion Pages Declassified, FY 1980 - FY 2010*
*Excluding Mandatory Declassification Review
for direct, specific review for declassification of information when requested. Since 1996, statistics reported for systematic declassification review and automatic declassification were combined because the execution of both programs is usually indistinguishable. This year, however, automatic, systematic, and discretionary declassification numbers were reported separately. Together, these four programs are essential to the viability of the classification system and vital to an open government.
0
50
100
150
200
250
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996
1995
1980-
1994
Ave
rage
per
yea
r: 12
.6 m
illio
n pa
ges
Mill
ions
of P
ages
188.
3 m
illio
n
69 m
illio
n
196
mill
ion
204
mill
ion
193
mill
ion
127
mill
ion
75 m
illio
n
100
mill
ion
44 m
illio
n
43 m
illio
n
28 m
illio
n
29.5
mill
ion
37.6
mill
ion
37.2
mill
ion
31.4
mill
ion
28.8
mill
ion
29.1
mill
ion
Declassification
14 | Information Security Oversight Office 2010 Report to the President | 15
Pages Reviewed and Pages Declassified
During FY 2010, the Executive branch reviewed 45.4
million pages under the automatic declassification provisions and declassified 24.2 million pages.
Under systematic declassification review, agencies reviewed 5.8 million pages and declassified 4.6 million pages. Under discretionary declassification review, agencies reviewed 1.9 million pages and declassified 181,607 pages. A total of 53.1 million pages were
reviewed for declassification and 29.1 million pages (55.4 percent) were declassified. This remains consistent with FY 2009 data which showed that 52 million pages were reviewed and 28.8 million pages (54.8 percent) were declassified.
16 | Information Security Oversight Office
Number of Pages Reviewed and Declassified for Automatic Declassification, FY 2010
0 3 6 9 12 15
OPM
NRC
DHS
NARA
NASA
Justice
DOE
ODNI
Air Force
USAID
State
Army
Navy
CIA
DoD*13,182,2528,152,087
11,060,7801,165,836
10,725,0568,741,3045,733,6953,074,8233,410,0492,755,615428,500
69,487409,647176,239
270,07965,535115,303
4,92919,67315,02819,172
10,7565,9685,9685,240
4051,025
2005252
Millions of Pages
Age
ncy
TOTAL: 45,386,491 Pages Reviewed 24,238,273 Pages Declassified
Pages Reviewed
Pages Declassified
*Does not include Air Force, Army, and Navy
Declassification
16 | Information Security Oversight Office 2010 Report to the President | 17
0 1 2 3 4 5
Commerce
DHS
Navy
DoD*
State
DOE
EOP
USAID
NARA
Justice
Air Force
Pages Reviewed
Pages Declassified
4,027,6844,027,016
922,540278,530425,599231,416
342,80055,59038,15528,741
28,48313
9,9907,6621,3681,358
3202
8282
10
Age
ncy
Millions of PagesTOTAL: 5,797,022 Pages Reviewed 4,630,410 Pages Declassified
Number of Pages Reviewed and Declassified for Systematic Declassification, FY 2010
*Does not include Air Force, Army, and Navy
18 | Information Security Oversight Office
Number of Pages Reviewed and Declassified for Discretionary Declassification, FY 2010
0 .5 1 1.5 2
ODNI
DHS
DoD*
State
Air Force
CIA
USAID
Justice
DOE
Pages Reviewed
Pages Declassified
Age
ncy
Millions of PagesTOTAL: 1,903,832 Pages Reviewed 181,607 Pages Declassified
1,509,167127,430
280,90213,616
85,70013,89814,38413,077
7,0107,0004,9504,8711,6671,663
5050
22
MDR remains popular with some researchers as a less litigious alternative to requests under the Freedom of Information Act (FOIA), as amended.
Declassification
*Does not include Air Force, Army, and Navy
18 | Information Security Oversight Office 2010 Report to the President | 19
*Excluding Mandatory Declassification Review
Total Number of Pages Reviewed and Declassified,* FY 2004 - FY 2010
Mandatory Declassification Review
The MDR process requires a review of specific classified
national security information in response to a request seeking its declassification. Requests must be in writing and describe the record containing the information with sufficient specificity to permit the agency receiving the request to locate it with a reasonable amount of effort. MDR remains popular with some researchers as a less
litigious alternative to requests under the Freedom of Information Act (FOIA), as amended. It is also used to seek the declassification of Presidential papers or records not subject to FOIA.
Initial Requests
From FY 1996 through FY 2010, agencies received an average
of 4,393 initial requests per fiscal year. Agencies received 9,686 initial requests for MDR in FY 2010; 1,843 more than the 7,843 requests received in FY 2009. Agencies
processed 6,726 requests in FY 2010, a decrease of 378 requests from the previous fiscal year. The 6,726 requests processed in FY 2010 contained 331,782 pages. Of these, 213,425 pages were declassified in their entirety (64 percent); 96,268 pages were declassified in part (29 percent); and 22,089 pages remained classified in their entirety (7 percent).
MDR has proven to be a successful program. From FY 1996 through FY 2010, agencies received 75,581
0
10,000,000
20,000,000
30,000,000
40,000,000
50,000,000
60,000,000
70,000,000
80,000,000
FY 2010FY 2009FY 2008FY 2007FY 2006FY 2005FY 2004
5
5,88
7,22
2
28,4
13,6
90
60
,443
,206
29,
540,
603
68
,745
,748
37,6
47,9
93
5
9,73
2,75
3
3
7,24
9,39
0
5
1,454
,240
3
1,443
,552
51,9
83,5
87
28,
812,
249
53,0
87,3
45
29,0
50,2
90
Pages Reviewed
Pages Declassified
20 | Information Security Oversight Office
initial requests and processed 3,434,105 pages. As a result of initial MDR processing, only 285,418 pages (8 percent) remained classified in their entirety after an initial MDR review: 2,147,956 pages were declassified in their entirety (63 percent), and 1,000,731 pages were declassified in part (29 percent).
From FY 1996 through FY 2010, agencies carried over an average of 3,464 initial MDR requests from one fiscal year into the next. In FY 2009, agencies reported 6,582 initial requests carried over into FY 2010. This figure increased again in FY 2010 as agencies reported 9,542 initial requests car-ried over into FY 2011, an increase
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
18,000
Cases ProcessedTotal Case LoadInitial Requests Received
Carry Over from Previous Fiscal Year
Avg. FY 96-06
FY 2007
FY 2008
FY 2009
FY 2010
3,72
0 4
,040
4,
986
5
,843
6
,582
3,8
15
7,82
7
8,
264
7,
843
9
,686
7,5
35
11,8
67
1
3,25
0
13
,686
16,
268
3,79
6
6
,881
7
,407
7,1
04
6,7
26
MDR Program Activity - Initial Requests
of 2,960 from the previous year. In FY 2008, three agencies - NARA (2,586 requests), Department of Defense (DoD) (1,667 requests), and the Central Intelligence Agency (CIA) (1,063 requests) - accounted for the majority of requests carried forward into FY 2009. Those same agencies account for the major-ity of requests carried forward
Declassification
20 | Information Security Oversight Office 2010 Report to the President | 21
Denied:285,418 pages
Declassified in Part:1,000,731 pages Declassified in
their Entirety:2,147, 956 pages
63%
29%
8%
TOTAL: 3,434,105 pages
Disposition of MDR Requests, FY 1996 - FY 2010
Appeals
During FY 2010, agencies received 302 appeals of
agency decisions to deny informa-tion after processing and deciding upon initial MDR requests. Three agencies accounted for 85 percent of these appeals: CIA (93 appeals, 31 percent), Air Force (86 appeals, 28 percent), and DoD (78 appeals, 26 percent).
Agencies processed 177 appeals in FY 2009, and 231 appeals in FY 2010. DoD (83 appeals, 36 percent), Air Force (82 appeals, 35 percent), CIA (34 appeals, 15 percent), and Department of State (16 appeals, 7 percent) accounted for 93 percent of the total appeals processed in FY 2010. In FY 2009, agencies reported carrying 192 appeals into FY 2010. In FY 2010, 8 agencies
– CIA (130 appeals), NARA (59 appeals), DoD (42 appeals), State (11 appeals), Navy (8 appeals), Department of Energy (DOE) (8 appeals), Air Force (4 appeals), and Department of Justice (DOJ) (1 appeal) - reported carrying over 263 appeals into FY 2011.
Of the 231 appeals processed in FY 2010, agencies reviewed 3,330 pages, a decrease of 3,003
into FY 2010 - NARA (2,762), DoD (2,165), and CIA (996). The same agencies - NARA (5,512), DoD (2,210), and CIA (1,100) - again account for the majority of
requests being carried forward into FY 2011. The Office of the Secretary of Defense (OSD) is responsible for the majority of requests within DoD, and in
FY 2011, letters were sent to OSD, NARA, and CIA requesting they develop a plan to resolve the backlog and report quarterly on their progress.
22 | Information Security Oversight Office
from the 6,333 pages reviewed in FY 2009. The processing of MDR appeals by agencies in FY 2010 resulted in the declassification of information in 2,365 pages; 71 percent of the pages reviewed. Of these pages,
1,308 were declassified in their entirety (39 percent) and 1,057 were declassified in part (32 percent). Agencies affirmed the classification of 965 pages (29 percent) in their entirety. Since FY 1996, agencies processed
Disposition of MDR Appeals, FY 1996 - FY 2010
69,885 appealed pages. Of these, 12,527 pages were declassified in their entirety (18 percent); 29,867 pages were declassified in part (43 percent); and 27,491 pages remained classified in their entirety (39 percent).
Declassification
Denied:27, 491 pages
Declassified in Part:29,867 pages
Declassified in their Entirety:12,527 pages
43%
39%
18%
TOTAL: 69,885 pages
22 | Information Security Oversight Office 2010 Report to the President | 23
Declassification Assessments
In FY 2010, ISOO continued an initiative begun in FY 2008 to
evaluate the results of agencies’ automatic declassification review programs. ISOO developed this initiative as a means to evaluate agency automatic declassification review programs, disseminate the results to the agencies for the purpose of strengthening their programs, and inform the declassification community as a whole by identifying best practices and correcting common errors. Using Standard Form (SF) 311, Agency Security Classification Management Program Data, submission data from FY 2009, ISOO identified 15 agencies whose declassification programs were substantial enough to warrant assessment. Each agency was contacted in March 2010 and asked to provide information on bodies of records for which they completed declassification reviews during the six month period from October 1, 2009, through March 31, 2010. ISOO analysts used the data collected to determine the sample size and specific documents to review during onsite declassification assessments.
From May through August 2010, ISOO analysts conducted on-site declassification assessments and evaluated the program results for each of the 15 agencies. Assessments focused on three areas of concern: missed equities,
inappropriate referrals, and improper exemptions. A commonly missed equity was the mention of the security classification interest of one agency in the record of another agency that had not been identified by the initial reviewer for referral to that agency. Inappropriate referrals denoted occasions when referrals were made to agencies that lacked the authority to exempt information from declassification or had waived their interest in the information. Improper exemptions included instances in which agencies attempted to exempt a record from automatic declassification under an exemption category not permitted by that agency’s declassification
guide as approved by ISCAP. The occurrence of any of these three issues was noted by ISOO analysts and factored into the agency score. In addition to these three categories of findings from within the statistical sample, ISOO analysts examined records from outside the sample in order to develop a more complete picture of agencies’ declassification programs.
Within the statistical sample, ISOO analysts did not encounter any examples of missed equities and only identified one instance of an inappropriate referral. Instances of improper exemptions were dis-covered in 4 of 15 agency samples.
Reviews
Agency ResultFederal Bureau of Investigation 100
Joint Staff 100
Missile Defense Agency 100
National Security Agency 100
Office of the Secretary of Defense 100
Department of State 100
National Geospatial-Intelligence Agency 98
Department of the Army 96
Defense Intelligence Agency 90
Defense Threat Reduction Agency 90
National Reconnaissance Office 88
U.S. Agency for International Development
80
Central Intelligence Agency 76
Department of the Navy 76
Department of the Air Force 50
24 | Information Security Oversight Office
Security Classification Guides
In evaluating the various pro-grammatic aspects of agencies automatic declassification review programs, ISOO has noted sev-eral areas of improvement from FY 2008 and FY 2009. Agencies are reviewing age-appropriate records that are between 20-25 years of age. Agencies are also appropriately using the SF 715, Declassification Review Tab, that standardizes declassification review determinations and helps facilitate the processing of refer-rals as well as overall archival processing. Finally, agencies are making more informed referrals. ISOO only identified one instance of an agency inappropriately making a referral based on let-terhead instead of the content of the information.
The results of these assess-ments were recorded, and scores were assigned to the agencies.
Number of Guides Updated
Within Last Five Years: 1,863
Number of Guides Not Updated Within Last Five Years: 612
75%
25%
Number of Security Classification Guides: 2,475
ISOO allocated up to 60 points for the objective findings within the statistical sample and up to 40 points for the programmatic observations, for a possible total of 100 points. Of the 15 agencies ISOO assessed, 10 received scores of 90 or above, 4 received scores from 70 to 89, and 1 received a score of 69 or below. ISOO is pleased to report that agencies continue to show improvement in their declassification programs since the inception of this program in FY 2008. The average score increased by over 13 percent, and the number of agencies receiving scores of 90 or above increased 31 percent. Additionally, six agencies received perfect scores in FY 2010; there were no perfect scores in FY 2008 and only two in FY 2009.
ISOO will continue to conduct annual assessments, provide agency-specific training, and issue
notices to agencies in order to provide specific guidance on areas of concern they encounter.
Classification Guides
In FY 2010, ISOO revised the SF 311 and expanded the
required information to meet the reporting requirements of the Order. This included a new requirement to report on the number of security classification guides created by each agency. Additionally, each agency reports the number of guides that had not been reviewed or updated within the past five years. Agencies reported a total of 2,475 security classification guides. Of these, 75 percent (1,863) have been reviewed/updated within the last 5 years. This is an increase from 54 percent in FY 2009 and a substantial change from 33 percent in FY 2008.
With the issuance of the Order and the Directive, agencies with original classification authority and security classification guides were mandated to conduct a fundamental classification guidance review. The purpose of the review is to ensure classification guidance reflects current circumstances and to identify classified information that no longer requires protection and can be declassified. ISOO will continue to provide guidance and assistance to the agencies during this review process.
Reviews
24 | Information Security Oversight Office 2010 Report to the President | 25
Authority
Section 5.3 of Executive Order 13526, "Classified National
Security Information."
Functions1. To decide on appeals by
persons who have filed classification challenges under section 1.8 of E.O. 13526.
2. To approve, deny, or amend agency exemptions from automatic declassification as provided in section 3.3 of E.O. 13526.
3. To decide on appeals by persons or entities who have filed requests for mandatory declassification review under section 3.5 of E.O. 13526.
4. To appropriately inform senior agency officials and the public of final Interagency Security Classification Appeals Panel (the Panel) decisions on appeals under sections 1.8 and 3.5 of E.O. 13526
Members*William H. Leary, Chair National Security Staff
Mark A. BradleyDepartment of Justice
Margaret P. GrafeldDepartment of State
Interagency Security Classification Appeals Panel
Laurence K. BurgessDepartment of Defense
Michael J. KurtzNational Archives and Records Administration
Corin StoneOffice of the Director of National Intelligence
Joseph W. LambertCentral Intelligence Agency
Executive SecretaryWilliam J. Bosanko, Director Information Security Oversight Office
Support StaffInformation Security Oversight Office
Background
The Panel was created under Presidential executive order
in 1995 to perform the functions noted above and began meeting in May 1996. The permanent mem-bership is comprised of senior-level representatives appointed by the Secretaries of State and Defense; the Attorney General; the Director of National Intelligence; the Archivist of the United States; and the National Security Advisor. Section 5.3(a)(2) of E.O. 13526 provides for the appointment of a temporary representative to the Panel from the CIA to par-ticipate as a voting member in all
deliberations and support activities that concern classified informa-tion originated by the CIA. The President selects the Chairperson, the Director of the Information Security Oversight Office serves as its Executive Secretary, and ISOO provides staff support.
Mandatory Declassification Review Appeals
During FY 2010, the Panel allocated a majority of its
time and resources to processing MDR appeals. The documents within these MDR appeals came before the Panel either classified in part or in their entirety and were properly filed with the Panel in accordance with E.O. 13526 and the Panel’s bylaws. In FY 2010, the members decided on 212 documents that were appealed to the Panel. This is 140 more documents than had been decided upon in FY 2009, and represents a 194 percent increase in productiv-ity. The Panel declassified ad-ditional information in 145 docu-ments (68 percent), and affirmed the prior agency classification decisions in 67 documents (32 percent). Of the 145 documents in which information was declassi-fied, 78 documents (54 percent) were declassified in their entirety and 67 documents (46 percent) had some portions declassified while the classification of other portions was affirmed.
*Note: The individuals named in this section were in these positions as of the end of FY 2010.
26 | Information Security Oversight Office
Since May 1996, the Panel has decided upon a total of 1,053
documents. Of these, the Panel declassified additional information in 65 percent of the documents. Specifically, 266 documents (25 percent) were declassified in their entirety and 424 documents (40 percent) had some portions declassified while the classification of other portions was affirmed. During this time frame, the Panel fully affirmed the classification decisions of agencies in 363 docu-ments (35 percent).
Mandatory declassification review remains a popular method for members of the public as a means to request a declassification review of specific documents. The increasing number of initial MDR requests to agencies has led to challenges in processing MDR cases within the time frames outlined in E.O. 13526 and 32 C.F.R. Part 2001.
Additional information may be found on the ISOO website: www.archives.gov/isoo/oversight-groups/iscap
If you have any questions, please contact the support staff:
Telephone: 202.357.5250Fax: 202.357.5907E-mail: [email protected]
AffirmedClassification:67 documents
Declassified in Part: 67 documents
Declassified in their Entirety: 78 documents
32%
32%
36%
TOTAL: 212 documents
ISCAP Decisions, FY 2010
ISCAP Decisions, May 1996 - September 2010
Interagency Security Classification Appeals Panel
Affirmed Classification:
363 documents
Declassified in Part:424 documents
Declassified in their Entirety:266 documents
25%
40%
35%
TOTAL: 1,053 documents
2010 Report to the President | 2726 | Information Security Oversight Office
ISOO is responsible for imple-menting and overseeing the
National Industrial Security Program (NISP) under E.O. 12829, as amended, issued in 1993. This oversight responsibility is primar-ily executed through the National Industrial Security Program Policy Advisory Committee (NISPPAC), a Federal Advisory Committee organized pursuant to section 103 of E.O. 12829, as amended. Membership of the NISPPAC is comprised of both Government and industry representatives and chaired by the Director of ISOO.
The NISPPAC advises on all matters involving the policies of the NISP and is responsible for recommending changes to industrial security policy, specifically E.O. 12829, as amended, its implementing directive (32 C.F.R. Part 2004), and the National Industrial Security Program Operating Manual (NISPOM). The NISPPAC meets at the request of the Chairman, but at least twice during the calendar year, and the meetings are open to the public in accordance with the Federal Advisory Committee Act.
During FY 2010, three meetings of the NISPPAC were held. The following issues were presented and discussed: personnel security clearance (PCL) processing, trust suitability determinations, certification and accreditation of information systems, foreign
National Industrial Security Program
ownership, control or influence of NISP facilities, reporting requirements concerning intrusions of unclassified information systems, status and plan for eliminating non GSA-approved security containers, industry access to threat data, and revisions of the NISPOM and 32 C.F.R. Part 2004. Additionally, the NISPPAC discussed the issuance of E.O. 13549, which brings the oversight of companies that enter into contracts that require access to classified information with state, local, or tribal governments under the NISP.
The PCL working group continued to review and analyze a comprehensive set of metrics that measure the timeliness of PCL processing for industry. This analysis resulted in the formation of an ad-hoc working group to look specifically at the chief causes of rejections of PCL requests. Preliminary results indicate that electronic fingerprinting system capability needs to be readily available on a cost-effective basis to government and industry in order to substantially minimize the current reject rate.
The Certification and Accreditation (C&A) working group continued its review and analysis of the process for obtaining approval to use classified information on information systems. The group continues to recommend changes to standards and metrics
to improve the timeliness and effectiveness of the C&A process and to ensure that it is consistent with national policy.
With the issuance of E.O. 13526 and 32 C.F.R. Part 2001, the need to address substantive policy changes impacting industry’s compliance with their provisions resulted in an effort to revise the NISPOM. To maximize the effectiveness of this effort, the NISPPAC, working with DoD as the NISP executive agent, co-directed numerous review sessions to ensure industry, the Cognizant Security Activities, and other affected agencies were provided an opportunity to review and recommend revisions to existing guidelines and proposed changes. A revised NISPOM is expected to be issued in FY 2011. Information on the NISPPAC is available on the ISOO website (http://www.archives.gov/isoo/oversight-groups/nisppac).
With the issuance of E.O. 13526 and 32 C.F.R. Part 2001, the need to address substantive policy changes impacting industry’s compliance with their provisions resulted in an effort to revise the NISPOM.
Information Security Oversight Office National Archives Building 700 Pennsylvania Avenue, NW Washington, DC 20408-0001
Telephone: 202.357.5250Fax: 202.357.5907E-mail: [email protected] Site: www.archives.gov/isoo